Plus he can make Aeria look better than them, as Aeria haven't been hacked on a large scale (yet)

Just because they haven't publicized it doesn't mean they haven't been hacked.

Given my experience working with website and server security, I'd say it's much more likely that Aeria has thus far been unable to detect most security breaches of this nature. I know that multiple security breaches have been detected, reported, (sometimes) fixed, and none of them were publicized.

No reason to cause mass panic if they don't know for sure that passwords were stolen, right?